As we mentioned in the introduction to this blog series, SecureState has reviewed years of assessment data in order to develop these attack vector results. By a decisive margin, weak passwords are the leading attack vector. Weak passwords have plagued organizations from day one; the startling trend is not the attack vector itself, but the proliferation of bad password habits that have become ingrained in our users over the years.
Over the past three years SecureState has seen a steady increase in our ability to exploit weak passwords in order to gain access to critical systems. The trend is heightened by the fact that many Security Awareness programs overlook two things: conventional reminders about picking good passwords fail, and the corporate complexity policies that govern password creation have failed as well. Users have found that changing a single digit, using a seasonal term, or even combining the organization's name with the current year passes most complexity requirements. The complexity rules that produced these patterns were an attempt to fix the problem years ago, but with the progression of cracking tools and the processing power of today's computers, passwords of this kind stand no chance of defending our most treasured information.
The only true resolution is a process that includes changes to Security Awareness training, a migration from passwords to passphrases longer than 14 characters, and a revision of the complexity requirements. These measures are sound, but an organization also needs to test that users have not found a way to bypass the intent of the policy by creating "easy" to remember passwords that satisfy it on paper.
In order to defend against weak passwords, an organization needs to take a number of precautions. An organization must have a strict document control process that includes scrubbing all metadata prior to the public release of any document. Attackers pull these documents and recover the metadata in an attempt to harvest employee usernames. By leaving this information in the documents, we hand the attacker a roadmap of how our usernames are structured, which is exactly what they need in order to pair a valid account with one of the predictable passwords described above.
Along with the scrubbing of metadata, organizations must implement quarterly authentication assessments that test users' current passwords (typically by auditing the password hashes offline) against known weak passwords and against passwords dumped from previous breaches. These assessments provide earlier detection of the bad habits that produce weak passwords, and of passwords that are also used in other environments (shared passwords).
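As an added example (not part of the original post and not SecureState's tooling), the script below ties the two previous points together: it shows that the pattern passwords the post describes pass a typical complexity rule, and it then runs the kind of quarterly audit the paragraph calls for against a constructed hash dump. The organization name "Acme", the five-word breach list and the sample accounts are all invented; the dump uses unsalted SHA-1 as a stand-in for whatever unsalted format the real dump is in (NTLM in a Windows domain), so swap hash_fn for the real one.

```python
import datetime
import hashlib

ORG_NAME = "Acme"  # hypothetical organisation name
SEASONS = ["Spring", "Summer", "Fall", "Autumn", "Winter"]
# Constructed stand-in for a known-weak / breach-dump word list.
BREACH_WORDS = ["password", "123456", "qwerty", "letmein", "welcome"]


def meets_conventional_complexity(pw, min_len=8):
    """The usual corporate rule: 8+ characters and 3 of 4 character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def candidate_passwords(years, org=ORG_NAME, breach_words=BREACH_WORDS):
    """Predictable candidates: season / org / breach word + year or digit + symbol."""
    bases = set(SEASONS) | {org, org.lower(), org.upper()} | set(breach_words)
    bases |= {w.capitalize() for w in breach_words}
    suffixes = [""] + [str(y) for y in years] + [str(y)[-2:] for y in years]
    suffixes += [str(d) for d in range(10)]  # the "change one digit" habit
    symbols = ["", "!", "@", "#", "$", "."]
    for base in bases:
        for suffix in suffixes:
            for sym in symbols:
                yield f"{base}{suffix}{sym}"


def is_predictable(pw, years):
    """Pattern-aware check to run at password-set time, in addition to complexity."""
    return pw in set(candidate_passwords(years))


def sha1_hex(pw):
    """Stand-in hash for the demo dump; replace with the real dump's format."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


def audit_hash_dump(dump, candidates, hash_fn=sha1_hex):
    """dump: {username: hash}. Returns (cracked {user: password}, shared {hash: [users]})."""
    lookup = {}
    for pw in candidates:
        lookup.setdefault(hash_fn(pw), pw)
    cracked = {user: lookup[h] for user, h in dump.items() if h in lookup}
    # With an unsalted format, identical hashes mean identical passwords across accounts.
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    return cracked, shared


def build_sample_dump():
    """Constructed sample accounts; plaintexts exist only to build the demo dump."""
    sample = {
        "jsmith": "Summer2014!",                 # season + year + symbol
        "ajones": "Acme2014",                    # organisation name + year
        "mlee":   "Password1",                   # breach-list word, capitalised, one digit
        "rkhan":  "Summer2014!",                 # same as jsmith: a shared password
        "ceo":    "correct-horse-battery-staple-9",  # long passphrase, not in the candidates
    }
    return {user: sha1_hex(pw) for user, pw in sample.items()}


if __name__ == "__main__":
    this_year = datetime.date.today().year
    years = [this_year - 1, this_year]
    cracked, shared = audit_hash_dump(build_sample_dump(), candidate_passwords(years))
    for user, pw in cracked.items():
        print(f"{user}: {pw!r} (passes complexity: {meets_conventional_complexity(pw)})")
    for h, users in shared.items():
        print("shared password between:", ", ".join(users))
```

Every recovered password in the sample passes the conventional complexity rule, which is the point of the post. For a real quarterly audit the candidate generation scales badly in pure Python; feed the same seasonal, organizational and breach-list words into hashcat or John the Ripper with their rule-based mangling instead, and keep the candidate-membership check above as the policy filter that stops those passwords from being set in the first place.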
Lastly, when possible, Two-Factor Authentication is one of the best defenses an organization can deploy against weak passwords. The technology today has not only made Two-Factor Authentication affordable, but its implementation is less invasive than ever before. By combining these three defenses, we have developed a vaccine against the plague of weak passwords: a guessed password alone no longer gets the attacker in, so they move on to other attack vectors, and the failed attempts give the organization a greater chance of noticing that someone is trying to gain access.